Like many bankers on both sides of the Atlantic, HSBC’s Dan Johnson sees great benefit in digital identity systems for financial institutions and their customers. But he also sees a big obstacle.

In a word: liability.

“When things go wrong — not if, when things go wrong — who’s culpable?” Johnson, the head of digital identity at HSBC, said Monday, during a presentation at the Cloud Identity Summit in Chicago. “How is it going to work? What happens when bad actors get introduced into the system?”

Federated identity systems allow users to reuse credentials at multiple sites. This adds convenience and reduces the transfer of sensitive personal information, but without strong standards creates "unbounded, unallocated risk." Source: Jeremy Grant, managing director at Venable, presentation at Cloud Identity Summit, June 20, 2017

Banks such as Capital One and U.S. Bank have been looking at ways to monetize the considerable work they do vetting customers by selling identity verification services to other businesses. An electrical utility wouldn’t have to ask a new customer to upload a driver’s license, for example, if her bank could just zap the data over; a site that sells wine online wouldn’t need to collect a user’s birthdate if the bank vouched that he was over 21. Banks in Canada and Europe already provide services along these lines.

Conversely, if banks were allowed to rely on the work other organizations have done to identify customers, they could eliminate redundant paperwork and spare the customer a branch visit to open another account.

“All of that maintenance, all of that effort costs the bank a lot of money to do, but also it’s a horrible user experience,” said Johnson, who is based in London and joined HSBC in October 2014.

In so-called federated identity systems, a user can log in to one website (say, Google or Facebook) and then access others without having to create another profile or type another username and password each time. The other sites trust that the identity provider has authenticated the user to a certain standard.

Of course, using Facebook to connect to Candy Crush is decidedly lower stakes than using your Chase credentials to open a Wells Fargo account.
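What the relying party actually trusts in a federation is a signed assertion from the identity provider, and what separates Candy Crush from account opening is the assurance level the relying party demands before it accepts one. The following is an added example written for this page; it is not code from the article or from HSBC, Capital One, U.S. Bank or any other organization it names. It assumes an Ed25519-signed JSON assertion with JWT-style claim names, a hypothetical three-step identity assurance scale (IAL 1 to 3), and made-up issuer and relying-party names. The relying party keeps a trust registry that records, for each identity provider, its public key and the highest assurance level it is accredited to assert, so a low-assurance provider cannot satisfy a high-assurance transaction by simply writing a bigger number into the claim; that accreditation check goes slightly beyond the text. The bank in the scenario vouches that the user is over 21 as a derived attribute, so no birthdate is transferred.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the statement an identity provider (IdP) signs about a user.
// Claim names are JWT-style; the IAL scale (1-3) is a hypothetical stand-in
// for whatever the federation's standards body would define.
type Assertion struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"` // the relying party this assertion is for
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	IAL       int    `json:"ial"`     // assurance level the IdP claims for this user
	Over21    bool   `json:"over_21"` // derived attribute: the birthdate never leaves the IdP
}

// SignedAssertion is the JSON payload plus an Ed25519 signature over it.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// TrustedIssuer is one entry in the relying party's trust registry: the key to
// verify against and the highest IAL that issuer is accredited to assert.
type TrustedIssuer struct {
	PublicKey ed25519.PublicKey
	MaxIAL    int
}

// RelyingParty consumes assertions instead of re-verifying the user itself.
type RelyingParty struct {
	Name    string
	Issuers map[string]TrustedIssuer
}

// GenerateIssuerKey creates an Ed25519 key pair for an identity provider.
func GenerateIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is the IdP side: build the claims and sign them (5-minute lifetime).
func Issue(iss, sub, aud string, ial int, over21 bool, priv ed25519.PrivateKey, now time.Time) (SignedAssertion, error) {
	a := Assertion{Issuer: iss, Subject: sub, Audience: aud, IssuedAt: now.Unix(),
		ExpiresAt: now.Add(5 * time.Minute).Unix(), IAL: ial, Over21: over21}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying-party side. Each check closes one way the RP would
// otherwise carry unallocated risk: unknown issuer, forged or replayed token,
// token meant for a different RP, or an IdP claiming more than it is accredited for.
func (rp RelyingParty) Verify(sa SignedAssertion, requiredIAL int, now time.Time) (Assertion, error) {
	var a Assertion
	// Parsed before the signature check only to learn which issuer's key to use;
	// nothing in it is trusted until ed25519.Verify succeeds.
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, fmt.Errorf("malformed assertion: %w", err)
	}
	issuer, ok := rp.Issuers[a.Issuer]
	if !ok {
		return Assertion{}, fmt.Errorf("issuer %q is not in the trust registry", a.Issuer)
	}
	if !ed25519.Verify(issuer.PublicKey, sa.Payload, sa.Signature) {
		return Assertion{}, errors.New("signature does not verify")
	}
	if a.Audience != rp.Name {
		return Assertion{}, fmt.Errorf("assertion addressed to %q, not %q", a.Audience, rp.Name)
	}
	if a.IssuedAt > now.Unix() || now.Unix() >= a.ExpiresAt {
		return Assertion{}, errors.New("assertion not yet valid or expired")
	}
	if a.IAL > issuer.MaxIAL { // an IAL-1 provider cannot vouch for IAL 3 by saying so
		return Assertion{}, fmt.Errorf("issuer %q accredited to IAL %d but asserted IAL %d", a.Issuer, issuer.MaxIAL, a.IAL)
	}
	if a.IAL < requiredIAL {
		return Assertion{}, fmt.Errorf("transaction needs IAL %d, assertion provides IAL %d", requiredIAL, a.IAL)
	}
	return a, nil
}

func main() {
	now := time.Now()
	bankPub, bankPriv, _ := GenerateIssuerKey()
	socialPub, socialPriv, _ := GenerateIssuerKey()
	// Hypothetical registry: a bank accredited to the top level, a social login to the lowest.
	rp := RelyingParty{Name: "rp.example", Issuers: map[string]TrustedIssuer{
		"bank.example": {PublicKey: bankPub, MaxIAL: 3}, "social.example": {PublicKey: socialPub, MaxIAL: 1}}}
	sa, _ := Issue("bank.example", "cust-42", "rp.example", 3, true, bankPriv, now)
	a, err := rp.Verify(sa, 1, now) // age-gated purchase: low bar, but needs the over-21 attribute
	fmt.Println("wine purchase:", err, "over 21 =", a.Over21)
	sa, _ = Issue("social.example", "cust-42", "rp.example", 1, true, socialPriv, now)
	_, err = rp.Verify(sa, 3, now) // account opening: IAL 3 required
	fmt.Println("account opening via social login:", err)
	sa, _ = Issue("social.example", "cust-42", "rp.example", 3, true, socialPriv, now)
	_, err = rp.Verify(sa, 3, now) // same provider overstating its own level
	fmt.Println("account opening with inflated claim:", err)
}
```

The order of checks matters: the issuer lookup comes before signature verification because the registry is what supplies the key, and the accreditation ceiling is checked before the per-transaction requirement so an inflated claim is reported as the issuer's fault rather than as a merely insufficient level. The liability question the article raises maps onto the trust registry: whoever decides which issuers go in it, and at what MaxIAL, is deciding who carries the risk when an assertion turns out to be wrong.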

“We’ve got high risk between all three parties,” said Jeremy Grant, managing director for technology business strategy at the law firm Venable, in a separate presentation at the conference. “Without any certainty as to how the risk would be mitigated or allocated in a federation system, the market is stalled.”

Virginia is trying to solve the impasse. In 2015, Gov. Terry McAuliffe signed a law that creates a legal framework for identity systems and limits liability for identity providers if they follow high standards and best practices.

In theory, this should reduce the risk to the system, but if the standards aren’t strong enough it could just transfer risk from the providers to individuals and relying parties, further discouraging participation, Grant cautioned. He sits on an advisory council that is helping Virginia to craft standards that are “beyond reproach.” (The eight-person council includes a financial services representative, Katie Crepps, a vice president for card technology at Capital One.)

But banks would need a lot to change before they would partake in this sort of outsourcing of identity provision. At the moment, they are clearly liable, under anti-money-laundering and know-your-customer rules, if they provide accounts to bad actors, wittingly or not. (HSBC knows this all too well. In 2012, two years before Johnson came on board, the international bank paid a $1.9 billion fine to the U.S. government for AML lapses.)

“We need regulatory change so we can accept data without necessarily having to check that data,” Johnson said. “That new model needs to be created in order to allow for digital identity to work successfully in the financial sector.”

More broadly, governments would need to endorse identity systems for the public to trust them, and they’d have to work together to make identities globally interoperable.

“You should be able to take an identity created in the U.S., for example, and then open a bank account in the U.K.,” Johnson said. “You shouldn’t need to have to prove residency. You shouldn’t need to turn up in a branch in the U.K. ... You should be able to assert your identity, your U.S. identity, in the U.K. — providing that the U.K. government trusts the U.S. government and vice versa.”

While Johnson played it close to the vest about HSBC’s plans during his presentation, he hinted that the bank envisions itself as a potential relying party in a future federated system, rather than as an identity provider. In other words, it would leverage the information already gathered by other banks rather than give a customer the third degree all over again.

“There are lots of identity providers. There aren’t so many identity consumers,” he said, noting that in most existing schemes in which the private sector provides identity, the government tends to be the sole relying party.

To make digital identity portable, “we need a set of rules and a set of standards that allow us to be able to consume that data and fundamentally not have to check that data against other sources,” Johnson said. “Otherwise we’ve just added to our already existing workload.”